[Feature Request] Support Docker-Socket-Proxy with mTLS certificates (remote hosts via HTTPS)

[henryxrl]

Thanks for Portracker! It's a great tool!

I'm trying to deploy Portracker in a homelab setup and ran into a limitation around remote Docker hosts.

Current setup

Right now Portracker supports connecting to docker-socket-proxy:2375, which works over plain HTTP.
In my setup though, docker-socket-proxy is always behind HTTPS with mTLS:

• Port 2375 is never exposed directly
• It's reverse-proxied to something like: https://<host>:63377
• Access requires CA + client cert + client key (mTLS)

This works fine for other tools, but Portracker currently has no way to pass TLS certs, so it can't connect.

Feature request

Would it be possible to add support for:

1. Connecting to Docker API over HTTPS
2. mTLS authentication (CA / cert / key)
3. A Dozzle-like remote host syntax, which is super convenient at scale

Dozzle already supports this pretty nicely: https://dozzle.dev/guide/remote-hosts

---

Dozzle-style syntax

Dozzle allows defining multiple remote hosts via a single env var like this:

DOZZLE_REMOTE_HOST=tcp://<remote_host_1>:63377|<remote_host_1>,tcp://<remote_host_2>:63377|<remote_host_2>,tcp://<remote_host_3>:63377|<remote_host_3>,...

Having something similar in Portracker would be huge for managing many hosts.

---

TLS / mTLS part

Ideally this would also support:

• https:// endpoints
• shared or per-host:
• CA cert
• client cert
• client key
• loaded from file paths or env vars

This would:

• avoid exposing insecure Docker APIs
• remove the need for hacky downgrade proxies
• make Portracker usable in more serious / security-conscious setups

---

Happy to help test or share config examples if you're interested.

[mostafa-wahied]

Hey, thanks for well structured issue. This actually was something I have started working on before and mTLS can currently work (at least partially) but it's undocumented. Let me explain why I haven't fully finished this feature.

When I first built portracker, my design philosophy was peer-to-peer where every instance acts as both agent and client, meaning portracker must be installed on every machine. This is because of the rich data (beyond just Docker) that I can retrieve via system/platform logic using /proc, ss, nsenter, etc., giving both Docker + system port visibility.

I did experiment with mTLS for remote Docker access but wasn't entirely sold on it, since it would be limited to Docker containers only, which I understand is fine for many use cases, but from portracker's perspective it's more limited compared to the full local installation.

That said, I now see the benefit of multi-host Docker as a complement to the current peer-to-peer model for users who only care about Docker containers, don't need system visibility, and value the convenience of one central portracker instance connected to multiple Docker hosts.

I'll be working on completing this feature, especially the multi-host functionality. In the meantime, if you want to try before I push the new changes:

environment:
   - DOCKER_HOST=tcp://your-mtls-proxy:2376
   - DOCKER_TLS_VERIFY=1
   - DOCKER_CERT_PATH=/certs
volumes:
   - ./certs:/certs:ro  # Must contain ca.pem, cert.pem, key.pem

[henryxrl]

Thank you for your detailed reply. I suppose the code snippet you provided only support single remote host. If that's correct, I'll wait to try it out after your development. Excited for your implementation! Good work!